- Extensible and reliable identity provisioning and synchronisation
- Extensible workflow and policy engine
- Extensible delegated access management platform with web UI
- PowerShell-aware web API
Microsoft Bhold Forefront Identity Manager [EOL] was previously known as Bhold Forefront Identity Manager, MS Bhold Forefront Identity Manager [EOL].
| Author info | Rating | Review Summary |
|---|---|---|
| Microsoft Practice Lead at Unify Solutions | 4.0 | Having used FIM, I find it an extensible, reliable IAM framework that improves efficiency. Its complex deployment needs careful planning and specialist resources. While stable and scalable, the UI needs modernizing, and TCO is significant. |
| FIM Specialist with 51-200 employees | 3.5 | I've used this solution for seven years and find its password management valuable. It improves productivity and reduces costs, though reporting needs work. Setup is easy, but SAP/Oracle deployments can be tricky. |
| Consultant with 51-200 employees | 3.0 | I found this product valuable for automating access and requests with an easy setup. However, it suffered from performance, stability, and scalability issues due to SQL deadlocks and bugs, despite good support. |
| Managing Consultant at a tech services company with 10,001+ employees | 3.5 | I found the synchronization server stable and effective for managing Active Directory content. However, the integrated portal/workflow server disappointed me with its performance and complex workflow management. Upfront planning is crucial. |
| IAM Consultant at a tech services company with 51-200 employees | 4.0 | I find FIM an easily deployable and supportive identity management solution, superior to alternatives. It offers excellent provisioning and group management, enhancing security and efficiency, but I see room for improvement in reporting and portal customization. |
| Working on Identity and Access Management at a tech services company with 10,001+ employees | 5.0 | I find FIM 2010 SP1 a good, stable, and scalable identity management product, offering improvements like portal-based DL management and SSPR. Planning setup is key, and technical support is strong. |
| Wintel System Administrator at a manufacturing company with 501-1,000 employees | 3.5 | We value FIM for synchronizing HR and AD, creating a single source of truth, improving service request authorizations. However, we experience stability issues with 80% uptime and faced SharePoint compatibility challenges, though support was excellent. |
| Identity Management Engineer at a healthcare company with 1,001-5,000 employees | 3.0 | I value its sync engine and cost savings. However, it required significant scripting despite being "code-less," led to database stability issues, and customer service is poor. I believe it's best for organizations without prior identity management solutions. |
I consult in the implementation of this product for my customers. I advised where improvements are needed to improve operational efficiency, security compliance and transparency of policy.
The SharePoint-hosted web UI, while functional, lacks the features one would normally expect of a modern web application when used in its vanilla form. The BHOLD suite, which is an optional extension for RBAC modelling, should not be implemented without substantial budget being set aside for investment in additional training and understanding, and ensuring access to specialist resources is available when required.
I've been using FIM 2010 for five years, and prior to that another five years between the 2003 and 2007 versions.
FIM is more an Identity and Access Management (IAM) framework rather than an out-of-the-box (OOTB) solution. With customization invariably required, deployment must be carefully planned according to the solution architected.
The latest R2 release is stable and has no significant issues that affect implementation stability with regards to the core components.
The biggest limiting factor is that the sync engine cannot be configured for load balancing or redundancy, followed closely by the throughput limitations that apply to the FIM Service connector (management agent) when dealing with high volumes of objects under synchronization. Nonetheless, FIM has been successfully deployed to manage the entire identity life-cycle for very large sites, such as well over one million staff/student identities under management for the Queensland Education Department in Australia.
Also, when the "declarative" sync rules requiring "expected rule entries" (EREs) are employed, the sync overhead is further exacerbated. As such, this type of sync approach should be avoided in favour of a code-based rules extension or the "scoped" sync rule capability released with R2.
Customer Service: High, depending on availability. Support is available by subscription to the "Microsoft Premier Support Service" (PSS) and/or third party solution support. In complex scenarios where skilled technicians are required, some delays (while generally minimal) may be experienced in getting a full resolution. A managed service arrangement might be worth considering through a third party such as UNIFY Solutions to mitigate the need for this in most cases.
Technical Support: High, depending on availability. There is often a dependency on skilled resources that need to be accessed from outside the immediate PSS group.
No. Only earlier versions of FIM which are now mostly end-of-life.
Generally complex in terms of number of components required, number of deployment steps required, and time generally taken with some of those steps.
We implemented it in-house.
The knowledge gained to perform more implementations for other clients, and the potential to leverage our own complementary products and services.
Yes - Novell, Sun (now obsolete) and Oracle.
Be prepared to consider the total cost of ownership (TCO) of a FIM (or any IAM) solution when assessing its comparatively cheaper price-tag over the mainstream alternatives. Be sure that training and resource development costs are covered in your budget, along with any ongoing "level three" type dependency on specialist resources to maintain and extend the solution once in Production. These costs may be minimized and service delivery/reliability optimised by leveraging a reputable managed service option such as the one available through UNIFY Solutions.
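The review above recommends a code-based rules extension over declarative sync rules with expected rule entries. As an added illustration (not code from the reviewer, UNIFY Solutions or Microsoft), the following C# metaverse extension shows what such a provisioning rule looks like against the FIM Synchronization Service extension API in the `Microsoft.MetadirectoryServices` assembly: it creates an Active Directory user when the HR-sourced status is Active, and sets or clears the account-disabled bit on an existing connector, which is the automated de-provisioning control that makes HR the source of truth for AD. The management agent name `AD MA`, the metaverse attributes `employeeStatus`, `accountName` and `displayName`, the status value `Active` and the container `OU=Staff,DC=corp,DC=example` are assumptions made for the example, not names from the page.

```csharp
// Added example, not from the review or from Microsoft: a FIM 2010 metaverse (provisioning)
// rules extension driving AD account creation and disablement from an HR-sourced status.
// Assumed names (adjust to the deployment): MA "AD MA"; metaverse attributes employeeStatus,
// accountName, displayName; status value "Active"; container OU=Staff,DC=corp,DC=example.
using System;
using Microsoft.MetadirectoryServices;

namespace Example.Fim.Extensions
{
    public class MVExtensionObject : IMVSynchronization
    {
        private const string AdMaName = "AD MA";                       // assumed MA name
        private const string StaffOu = "OU=Staff,DC=corp,DC=example";  // assumed container

        // userAccountControl bits as documented for ADS_USER_FLAG_ENUM.
        private const long NormalAccount = 0x0200;   // ADS_UF_NORMAL_ACCOUNT
        private const long AccountDisable = 0x0002;  // ADS_UF_ACCOUNTDISABLE

        public void Initialize() { }
        public void Terminate() { }

        // Called by the sync engine for every metaverse object after inbound synchronization.
        public void Provision(MVEntry mventry)
        {
            if (mventry.ObjectType != "person") return;
            if (!mventry["accountName"].IsPresent) return;   // nothing to key the AD object on

            bool active = mventry["employeeStatus"].IsPresent
                && string.Equals(mventry["employeeStatus"].Value, "Active", StringComparison.OrdinalIgnoreCase);

            ConnectedMA adMa = mventry.ConnectedMAs[AdMaName];

            if (adMa.Connectors.Count == 0)
            {
                // No AD connector yet: create one only for staff HR reports as active.
                if (!active) return;

                CSEntry cs = adMa.Connectors.StartNewConnector("user");
                // EscapeDNComponent escapes the RDN so a display name containing ',' or '=' cannot
                // change where the object lands; Concat appends the assumed container.
                cs.DN = adMa.EscapeDNComponent("CN=" + mventry["displayName"].Value).Concat(StaffOu);
                cs["sAMAccountName"].Value = mventry["accountName"].Value;
                cs["userAccountControl"].IntegerValue = NormalAccount;
                cs.CommitNewConnector();
                return;
            }

            // Existing connector: the HR status owns the disable bit. A terminated record
            // disables the account on the next export without touching any other flag.
            CSEntry existing = adMa.Connectors.ByIndex[0];
            long uac = existing["userAccountControl"].IsPresent
                ? existing["userAccountControl"].IntegerValue
                : NormalAccount;
            existing["userAccountControl"].IntegerValue = active
                ? (uac & ~AccountDisable)
                : (uac | AccountDisable);
        }

        // Keep the metaverse object when its last connector disappears, so a lost AD
        // connector cannot silently orphan the HR record it is joined to.
        public bool ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry)
        {
            return false;
        }
    }
}
```

The compiled assembly goes in the Synchronization Service's Extensions folder and is named under Tools > Options in the Synchronization Service Manager, with "Enable Provisioning Rules Extension" ticked; the AD management agent's export attribute flow must include `sAMAccountName` and `userAccountControl`, or the values set here never reach the directory. Because the status check runs in code on every sync, there are no expected rule entries to create and clean up, which is the overhead the review is warning about.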
It will improve productivity, reduce the administrative cost & help-desk by automating the identity management tasks (provisioning, de-provisioning, access management) for an organization.
It needs improvement on its reporting. Default reporting is not meeting client requirements.
I've used it for seven years.
Yes. Mostly when integrating to SAP or Oracle ERP solutions.
No issues encountered.
No issues encountered.
Customer Service: 7/10.
Technical Support: 8/10.
No previous solution used.
It was straightforward as the product has TechNet articles.
I implement it for clients.
It reduces the help-desk cost.
Simple and more useful if you already use other Microsoft solutions as they are easy to integrate with each other.
Synchronization with applications for automation.
The product is helping the organization to use this as a request based service through which access also gets placed after approval from the portal itself, without human intervention being required.
SQL deadlock issues affecting performance, and internal application bugs.
Two years.
Yes, we faced performance issues that were not normal or expected behavior.
Yes, random deadlock behavior.
For multiple things happening at the same time, we face few problems.
Customer Service: 9 out of 10.
Technical Support: 9 out of 10.
No previous solution used.
Yes, initial setup is simple and easy to understand with a Web based GUI.
We used a vendor team and their level of expertise is 10/10.
7 out of 10.
We didn't evaluate any other options because FIM fit the requirements.
Go for it.
The synchronization server function, which is easy to manage, is a good and stable product. I'd rate this function 8/10.
It enabled managing the content of multiple Active Directory, keeping content consistently in-sync with each other and with external HR and card management solutions. It also made it easier to migrate content between those directories.
I was not so impressed by the SharePoint based portal/workflow/policy server part, especially with the way it was integrated with the synchronization server, I'd rate this function 6/10.
Also, the ease of configuring and (most importantly) managing workflows/Management Policy Rules (MPRs) in the portal/workflow server.
The synchronization server part for about six years (during this period the product changed names from MIIS to ILM to FIM).
The portal / workflow server part for about one and a half years.
The synchronization server proved to be very stable in a production environment.
It is possible to implement a scalable setup. However, good upfront planning for such an environment is needed from the beginning and is not straightforward.
I am working for a system integrator and helped several customers implement an identity and access management solution using different solutions.
Synchronization requirements (if not too complex) can be implemented pretty straightforwardly using the sync server. Larger implementations with high availability requirements, using workflows, will become complex.
Depending on the requirements, we would select the best fitting IAM product for our customers.
You will not resolve your identity and access management problems by implementing an IAM product like FIM 2010.
As an identity and access management consultant, I deploy FIM to clients looking to implement security controls through the automated provisioning of user accounts and improve operational efficiencies in managing digital identities. This typically leads to a better security posture and reduced operational costs as well as improvements through self service capabilities.
Six years.
No issues encountered.
None, however, high spec servers are required.
None, solution is scalable based on implementation design.
Customer Service: 8 out of 10.
Technical Support: 6 out of 10.
I have implemented Tivoli Identity Manager, Oracle Identity Manager and NETIQ Identity Manager. By far FIM has been the easiest to deploy and support. It has fewer components to manage and because it is deployed on Windows Servers, it uses the capabilities provided by the Windows platform for reporting, event management and service management.
Initial setup is very simple and is based on design. The solution components have their own requirements; however, these are easy to manage in most cases. Deploying the solution is a matter of deploying the executable and installing the application components on the servers. Components can be deployed across multiple servers or on a single server.
Solution is simple to setup in an Active Directory environment as authentication and authorisation is primarily against AD users and groups.
As an IAM consultant with FIM, most of the deployments have been through vendors. I would rate the consulting team very highly in this regard.
Costing varies as this is calculated based on server and client access license.
Before I recommend FIM where required, I usually evaluate FIM against IBM, Oracle and NETIQ. It's not in all cases that FIM is recommended but this depends on factors such as cost, supportability, integration options and speed of deployment. Integration with cloud services is also an option considered and this is becoming more and more mandatory for most clients I have worked with who are looking for security controls for information asset protection.
Perform lots of research, not only on the technology aspect but also on the business processes, business roles, how the business will support the solution and integration options. Investigate whether the licensing will be sufficient and if the external connector will be suitable for the organisation. Evaluate if all features of the solution need to be deployed in the same phase or if the features can be enabled across multiple phases. Also evaluate whether group management is important to the business as this feature of FIM is one of its highlights.
Previously my client used MIIS but now it has been migrated to FIM 2010 SP1. MIIS was only using the Synchronization Server. Using FIM 2010 other features are available like DL management through the portal, End User FIM Portal, and also FIM SSPR. These provide a good improvement in functions to our organization.
I have been working on Forefront Identity Manager for three and a half years.
No, FIM 2010 SP1 is a good product for all those organizations that want identity and access management.
It depends upon the organization, and what type of requirements they have. If they are using sufficient hardware and licenses required, I think it is a perfect product.
I have done many implementations in my past company and did not face any problem with scalability.
Customer Service: 7 out of 10.
Technical Support: 9 out of 10.
Before set-up, we just need to understand all the processes of installation and the requirements. If we have all the required information and data I don't think it will be a complex set-up.
Many times we provided this implementation and technical support with the vendor to other clients.
Before implementing this product, please make sure that what you want to implement is covered by FIM 2010, or firstly understand the features of FIM and then look into this.
For me the most valuable feature is being able to create a single source of truth between the ICT Department and Human Resources. The fact that there is a synchronisation between our HR database and Active Directory ensures that our end user information stays current, which ties into our ITIL processes as well with Microsoft System Center Service Manager.
Within our Service request catalog, we frequently require authorisation from a requestor's direct line manager or Business Unit representative. The fact that with FIM this information is kept up to date by setting up synchronisation between the HR databases and our Active Directory ensures that the Service Requests are processed and fulfilled correctly and places the responsibility on our end users.
Our current FIM infrastructure suffers from stability issues. However this may be attributed to external factors or configuration.
In its current version, about 18 months; however, since 2010 SP1, a little over two years.
During the implementation of our current version of FIM, we did experience compatibility issues with SharePoint 2013. We had to employ external resources to make modifications to some of the library files within Microsoft SharePoint to get FIM to work correctly.
There are some issues regarding stability that require the Synchronisation services to be restarted on one or more of the Servers. We have built redundancy into our configuration to ensure that at least one of the application servers is always available; however, this only provides around 80% up-time. We are investigating the configuration with our technical support representative from Microsoft.
During the initial planning phase of the FIM project, we recruited FIM specialists from Microsoft to assist our projects team to scale the FIM infrastructure to meet our organisation's requirements. We have, until now, not encountered issues pertaining to scalability and, to be honest, we do not use the product anywhere near its full capabilities.
Customer Service: The customer service provided by both Microsoft and our Third party vendors has been a pleasure. I only wish more of our vendors would provide as good a service.
Technical Support: I would rate the service received an 8/10. I would prefer more detailed documentation upon fault resolution.
This is the first of this type of solution employed within our organisation. Previously all user information was processed manually or referenced via additional databases directly. User accounts had to be created and maintained by the Service Desk Staff.
The implementation was done with the assistance of Microsoft, external vendors and our internal projects team, which consisted of System Administrators and database specialists. The service we received from our external vendors was excellent.
Microsoft Forefront Identity Manager was the only product put forward during the steering committee and was sourced by the Regional Security Manager. We are however keen to see what the proposed newer incarnation of the product (Microsoft Identity Manager) will deliver.
Starting off, ensure that support staff receive sufficient training on the product. Also ensure that you implement the product on platforms for which it was designed. We have had many challenges trying custom build environments to suit.
The sync engine is key, and the ability to have it up and running in full in a very short time.
I don't think it has yet; for my current organization it seems more like a step back rather than a step forward, but the issue for them and why they made the change was based on cost, as the previous solution was too expensive to continue within the budget. I guess you could say that the biggest improvement was that we have more money because of it.
There are a lot of areas; the overall sync engine and the concept of 'code-less' provisioning are somewhat misleading. We have had to code plenty of scripts in both Cygwin externally to FIM as well as PowerShell within FIM to get things to function how we needed them to.
I was first introduced to FIM in 2010 as a part of an implementation in a Fortune 500 company that was coming from manual identity management.
We did, and we actually backed out of the initial deployment because things were not working, provisioning was not occurring, but it turned out to be an issue with access rights.
So far, lots and they are database related mainly. We were fine when we had our own database server but the organization required us to eventually move our DBs to a cluster setup managed by the DBAs. Since then we have had performance issues with FIM like crazy. Database optimization, as always, is key.
We have not, it seems scalable enough for what we need.
Not very high at the moment, we deployed about 8 months ago. The reporting servers are not functioning properly and we have been given a lot of 'solutions' that just do not make sense.
We did, and we switched for financial reasons.
It seemed pretty simple, not a whole lot to get it going, workflow creation seemed difficult, it would have been nice to have had some good default types to build off of.
It was somewhat mixed. We had an outside consultant, the vendor, and our In-House team. The vendor is called Oxford and they were top-notch.
If you have nothing else, great, but if you have other stuff already, it's going to be painful.
If your organization has never used any kind of Identity Management Solution, I would rate it close to an 8/10, but if your organization had another solution, it would probably rate closer to a 3/10. The reason for this is that it is very good if it's not replacing anything because typically your user base is not used to 'something else'.
I have been in both situations and can very much tell the difference.